Newsgroups: php.internals
Subject: Re: [PHP-DEV] [VOTE] Increasing the default BCrypt cost
From: Levi Morrison via internals
To: Tim Düsterhus
Cc: PHP internals
Date: Mon, 25 Sep 2023 13:43:44 -0600

> Please find the following resources for your references:
>
> RFC Text: https://wiki.php.net/rfc/bcrypt_cost_2023
> Discussion Thread: https://externals.io/message/121004
> Feedback by a Hashcat team member on Fediverse:
> https://phpc.social/@tychotithonus@infosec.exchange/111025157601179075

I did a tiny bit of my own research, and could not find any recommendations more specific than "10 or more" as the cost factor. Typically, the advice is "use a more modern system like argon2id".
However, I did notice some sites mention that systems ought to check for a maximum length of 72 bytes when using bcrypt: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#input-limits

As far as I can tell, PHP does not do this check. I am not sure if the implementation(s) used suffer(s) from the limitation that is the source of this recommendation. Perhaps someone has time to investigate this? Anyway, it's "future work."

I have voted for 11, but will not be hurt in any way if 12 wins.
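An added example, not part of Levi's message or of PHP's own code: it probes empirically whether the bcrypt behind password_hash() uses only the first 72 bytes of its input, shows a guard that refuses longer passwords before hashing, and goes one step beyond the thread by checking whether a cost-11 hash would need rehashing once the default moves to 12. The function names hashPasswordBcrypt and bcryptTruncatesAt72 and the constant BCRYPT_MAX_BYTES are assumptions; password_hash, password_verify and password_needs_rehash are PHP's standard functions.

```php
<?php
declare(strict_types=1);
// Added example (not from the thread or PHP itself): probe bcrypt's 72-byte
// input limit and guard against it. Cost 11 matches the author's vote.

const BCRYPT_MAX_BYTES = 72; // assumed constant name; the limit itself is bcrypt's

/** Hash with bcrypt, refusing input that bcrypt would silently truncate. */
function hashPasswordBcrypt(string $password, int $cost = 11): string
{
    // strlen() counts bytes, which is what the 72-byte limit is about
    if (strlen($password) > BCRYPT_MAX_BYTES) {
        throw new InvalidArgumentException(
            'bcrypt only uses the first ' . BCRYPT_MAX_BYTES . ' bytes; refusing longer input'
        );
    }
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

/**
 * Empirical check: hash a password longer than 72 bytes, then verify a
 * different password that shares only the first 72 bytes. If that verifies,
 * this build's bcrypt truncates at 72 bytes.
 */
function bcryptTruncatesAt72(int $cost = 11): bool
{
    $prefix = str_repeat('a', BCRYPT_MAX_BYTES);   // exactly 72 bytes
    $stored = $prefix . 'correct-tail';            // what the user "set"
    $probe  = $prefix . 'different-tail';          // same 72-byte prefix only
    $hash   = password_hash($stored, PASSWORD_BCRYPT, ['cost' => $cost]);
    return password_verify($probe, $hash);
}

printf("bcrypt truncates at 72 bytes: %s\n", bcryptTruncatesAt72() ? 'yes' : 'no');

try {
    hashPasswordBcrypt(str_repeat('x', 100));
} catch (InvalidArgumentException $e) {
    echo "guard rejected over-long password: {$e->getMessage()}\n";
}

// Raising the default cost does not rewrite stored hashes; check on login.
$hash = hashPasswordBcrypt('correct horse battery staple');
printf("cost 11 hash: %s\n", $hash);
printf("needs rehash at cost 12: %s\n",
    password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => 12]) ? 'yes' : 'no');
```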